OASIS-SAML-2-0
OASIS SAML 2.0 SSO federated identity XML-based 2005.
Définition
SAML 2.0 key concepts : (1) Assertions : XML documents containing Authentication Statement (when + how user authenticated), Attribute Statement (user attributes name + email + groups + custom), Authorization Decision Statement (whether user authorized for resource), digitally signed by IdP. (2) Protocols : Authentication Request Protocol (SP requests authentication user IdP), Single Logout Protocol (SLO logout from all SPs), Artifact Resolution Protocol, Assertion Query and Request Protocol. (3) Bindings : transport mechanisms (HTTP Redirect Binding, HTTP POST Binding most common Web SSO, HTTP Artifact Binding, SAML SOAP Binding, etc.). (4) Profiles : combinations of assertions + protocols + bindings for specific use cases (Web Browser SSO Profile most popular, Enhanced Client or Proxy ECP Profile, Single Logout Profile, etc.). (5) Components : Identity Provider (IdP), Service Provider (SP), User Agent (browser typically), Metadata XML (describes IdP/SP capabilities + endpoints + certificates). Comparison OIDC OpenID Connect (modern alternative based OAuth 2.0 + JSON-based) : SAML SOAP-XML heavyweight + better for enterprise legacy + Browser SSO traditional, OIDC lightweight + JSON + better for mobile + modern web apps. SAML 2.0 remains dominant enterprise SSO (~70% large enterprises) due maturity + ecosystem.
Origine
SAML 1.0 OASIS Standard 2002 ; SAML 1.1 OASIS Standard 2003 ; SAML 2.0 OASIS Standard 15 mars 2005 ; ongoing maintenance OASIS SSTC.
Exemple en contexte
Salesforce.com enterprise customer uses Okta IdP for SSO into Salesforce SP via SAML 2.0 Web Browser SSO Profile : user clicks Salesforce login, Salesforce redirects browser to Okta with SAML AuthnRequest, Okta authenticates user, Okta redirects browser back to Salesforce with SAML Assertion (signed XML containing user attributes), Salesforce validates assertion + grants session.
Termes liés
- W3C DID — modern alternative.